Three military contractors linked to post-RSA attacks
by Steve Ragan - Jun 1 2011, 21:05
So far this week, the news has focused on Lockheed Martin and L-3, two military contractors who appear to have suffered targeted attack attempts in the wake of the massive breach at RSA earlier this year. Now, a third contractor has emerged, as insiders place Northrop Grumman on the list.
The RSA link is clear: each of the three contractors is an RSA customer using the compromised SecurID technology. In March, the security side of data management giant EMC was breached, which resulted in information related to RSA’s SecurID tokens being pilfered by the perpetrators.
In a public letter and separate 8-K filing with the SEC at the time, EMC’s Executive Chairman, Art Coviello, stated that while the information stolen doesn’t enable a direct attack on SecurID customers, it “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
To date, RSA says that the investigation into their breach is ongoing.
In May, Lockheed Martin detected attempts to access their network and revoked external network access as a result. In a statement, Lockheed said the potential attackers were unable to penetrate their network.
In interviews with the media, Sondra Barbour, Lockheed’s CIO, has stated that the company now uses RSA SecurID tokens that issue eight-digit codes instead of four-digit ones.
“Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security,” Lockheed’s statement noted.
Shortly after Lockheed addressed their potential security crisis, Wired broke the story that another government contractor, L-3 Communications, warned their staff back in April that they were being “actively targeted with penetration attacks leveraging the compromised information” from the RSA breach.
L-3’s internal memo, leaked to Wired by an employee, did not say if the attacks were successful, only that they were being targeted. L-3 would offer no further information to Wired for their story.
On Wednesday, a Northrop Grumman employee told FoxNews that on May 26, the military contractor shut down remote access in a sudden move that caught many staff members unaware. The rapid disconnection, including domain name and password resets, caused many to speculate that a breach had occurred.
Northrop would not confirm or deny a breach of any kind.
A spokesperson speaking to FoxNews said, “We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions.”
It’s interesting to note that word of these attempted attacks is surfacing at a time when the Pentagon has said that cyber attacks from a foreign country could be treated as an act of war.
This is in addition to reports on North Korea’s work to expand their cyber warfare unit, and China’s admission of a “Blue Army”, mostly defensive in nature, but comprised of skilled technical operators who could launch state-sanctioned attacks.
